Security Update for Gray GoPayment Card Reader

We recently learned from the University of Wisconsin, Madison about a security vulnerability with the gray GoPayment credit card reader made by our partner ID TECH. As soon as we learned about this vulnerability, we immediately started working with the university and ID TECH to test it and ensure that our GoPayment customers were not at risk.

Based on our testing, we believe that the risk of exploitation is low but could potentially enable malware to intercept credit card information when a card is swiped using the gray card reader. To protect our customers, we immediately started working on a security update to fix the issue.

This update will be available on Google Play on August 7, 2012 to GoPayment users on Android devices who received the gray card reader before July 16, 2012. The update will be available on the Apple App Store within one or two weeks for GoPayment users on an iPhone, iPad or iPod Touch who received the card reader in the U.S. before July 16, 2012. All card readers received in the U.S. after July 16, 2012 already have the security update installed and nothing needs to be done.

This update will take up to fifteen minutes to install while the card reader is connected to a mobile device (step-by-step instructions are listed below). Only those GoPayment users who need the update will be prompted within the GoPayment app to complete it. If you are not prompted within the next few weeks, you do not need the security update. To our knowledge, no customers have been affected and no data has been compromised.

We thank the University of Wisconsin, Madison for alerting us to this issue and making this research possible. In particular, we'd like to thank: WesLee Frisby and Benjamin Moench for identifying the vulnerabilities; Thomas Ristenpart for reporting this issue and working diligently with us as we fix it; and, Benjamin Recht and Thomas Ristenpart for assisting in the research that lead to the discovery.

FAQ:

How do I perform the update?

For GoPayment on Android Mobile Devices:

Update your GoPayment app from Google Play starting August 7, 2012 to version 2.7.2.

Make sure that you don't need to use GoPayment or your mobile device for up to 15 minutes.

Plug in your gray GoPayment card reader (If you have a different card reader, you don't need the update).

Make sure you are signed out of GoPayment.

Sign back in to GoPayment with your login and password.

Make sure that the gray card reader is selected. You should see an image of the card reader prompting you to swipe a card. If not, go to Settings and turn the Gray Audio Jack Reader "On."

Enter $0.01 as the transaction amount as though you are about to process a transaction (this transaction won't actually process, it is just a necessary step to prompt the update) and press "Next."

Press the "Update Now" button (you can also press "Do This Later" if it's not a good time).

Press the "Start Update" button and wait up to 15 minutes until the update is done. Do not use the phone, even to answer calls or respond to notifications, during this time.

For GoPayment on the iPhone, iPad or iPod Touch:

The GoPayment app update version 4.7.3 will be available in the Apple App Store by mid August. Once available, we will provide step-by-step instructions here for this update.

What is the security issue? In a rare scenario the card reader could enable malware to intercept credit card information when a card is swiped using the card reader with the GoPayment app.

How and when did you learn about the vulnerability? A team of researchers at the University of Wisconsin, Madison informed us in late May of the possible security vulnerability with the gray, round card reader manufactured by our partner ID TECH that we distribute with GoPayment.

What is the impact and risk level of this happening? After further testing, we believe that the risk level is low as there is a low likelihood of someone exploiting this vulnerability to harm our customers, and we are not aware of any instance of this vulnerability being exploited.

What have you done to fix it? Upon learning of this vulnerability, we immediately worked with our card reader partner, ID TECH, to investigate the issue and create an update to fix it. The update will be available on August 7, 2012 to GoPayment users on Android devices who received a gray card reader in the U.S. before July 16, 2012. It will be available to GoPayment users with an iPhone, iPad or iPod Touch who received the gray card reader in the U.S. before July 16, 2012 in one or two weeks. All card readers received in the U.S. after July 16th already have the security fix installed.

Why did you not alert customers when you first heard about the vulnerability? We did not publicize this vulnerability until we were close to having a fix in place because we believed the actual risk to be low and that publicizing it prematurely could actually increase the potential risk to our customers.

Have any users been affected? To our knowledge, no customers have been affected and no data has been compromised.